Burp Suite User Forum

Burp Enterprise - Adding Certificates in GUI doesn't add to Java Trust Store

Lynch, | Last updated: Oct 28, 2021 06:07PM UTC

Hello, I have our internal certificates added to Burp Enterprise's GUI; however, upon running a scan against a website that has the proper internal certificate chain trust, we still get the medium TLS Certificate finding. I've read other posts about adding these certificates manually to the Java Store; however, every time Burp/Java updates, it will overwrite them, and it's a very manual process to be constantly replacing. Is there no way that these GUI certs could also be added automatically to the Java store?

Maia, PortSwigger Agent | Last updated: Oct 29, 2021 03:08PM UTC

Hi,

Thanks for your message. Currently, there is no way to do this through the UI. We do have a feature request logged to address the issue and I have linked this request to the feature both to record your interest in it and so we can let you know when there is an update. We don't have any timescales for this just yet I'm afraid.

In the meantime, would marking these issues as false positives (which would allow you to exclude them from reports) or turning off this particular scan check in the scan configuration be an option? You can read more about handling false positives here: https://portswigger.net/burp/documentation/enterprise/working/scan-results/false-positives

I hope this helps, please let us know if you have any further questions in response to the above.

Wayne | Last updated: Mar 12, 2024 05:34AM UTC

Do we have this available now? I do see upload certificate in Settings > Network, but as Lynch said, upload cert doesn't modify the Java Trust Store.

Maia, PortSwigger Agent | Last updated: Mar 12, 2024 11:28AM UTC

This feature request has not been progressed, but is still active, so I have added your +1.

The current way of dealing with the TLS Certificate issue finding is to mark the issue as a false positive (which would allow you to exclude it from reports) or to turn off this particular scan check using a custom scan configuration.

The certificates section on the Network page only applies to the Enterprise server. These certificates are not used with scans. You can find more details here: https://portswigger.net/burp/documentation/enterprise/user-guide/post-installation-config/managing-certificates